Re: [SM-DEVEL] Image extension issue in mime.php

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On Friday 22 August 2008 09:17, Paul Lesniewski wrote:
> It's your commit, so maybe you can help.
>
> http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4
>-STABLE/squirrelmail/functions/mime.php?view=log#rev12370
>
> If this code is meant to stop "request forgeries through included
> images", I'd like to know more about what this means, since, as I
> noted, it wouldn't be hard for an attacker to substitute a dynamically
> executed script for an "image" file on the target server.  Or perhaps
> the file extension code is not specifically what fixed that actual
> issue and is only a side effect?

The patch is actually by Marc. He had some discussion about it with Tomas that 
I could find. As far as I can distill from the mails, but it's a bit of 
guesswork:

- IE interprets JavaScript when served within an "image" (that is, something 
linked from <img src="">.
- Apparently (?) it doesn't do this when the file has a regular image 
extension, it then processes it as an image. A typical Windows way of working 
I guess.

I'm not sure that that is what it's supposed to fix as the mails aren't too 
clear on that. I also don't use IE so can't easily verify this theory.

You could argue that pressing View Unsafe Images leaves you on your own which 
is sort of true, however, my perception of the function was to prevent remote 
tracking, and enabling it would not directly open you up to xss.

cheers,
Thijs